A customer recently asked, “In most VSS articles, the recommendation is for the VSS password to match the domain password. In short, since the VSS users database is (a) difficult to secure from VSS users, and (b) passwords are stored plain-text, I wondered if this is really a good idea.”
This query prompted me to generate the following password guidelines for VSS. If you have other suggestions, please add a comment. I am not a security expert, by any means. Also, Andrew provides a great primer on Safe Computing that is a must-read.
SourceSafe Password Guidelines
1. Don’t use the same computer password twice. Your domain password should differ from your VSS password.
2. Include one number and one character in your password.
3. Don’t leave your passwords on a post-it on your monitor.
4. Be paranoid.
5. Change passwords for the guest and Admin users as soon as you create a new VSS database.
6. Don’t forget the Admin user’s password…ever.
7. Strictly limit access to the Admin user’s password. One Admin is safest. Two Admins is wise (see Rule #4). Three Admins is neither safe nor wise.
8. Write your password down in at least two places…in case you lose one of them or forget where it is.
9. Don’t send your password by email, IM, or pigeon. Most pigeons have links to sophisticated underworld crime syndicates. If you don’t believe this, go rent Ghost Dog: The Way of the Samurai.
If your network is secure, your SourceSafe databases are secure as well. In Avoiding the VSS Login Prompt, I warned that “team members should be FORBIDDEN to use the same password in VSS as they do for their network account since anyone with administrative access to the VSS database can obtain it.” This statement is true, but only partially so. It is only partially true because VSS passwords are encrypted. Nonetheless, a knowledgeable insider with unlimited time can do amazing things. If in doubt, see rule #4.
For more information about how to optimize the security of your VSS databases, see VSS Security Tip and Introduction to Visual SourceSafe Database Security.
[minor edit on 1/22 at 1310hrs by KorbyP]
This posting is provided “AS IS” with no warranties, and confers no rights.